[whatwg] Iframe dimensions
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Jul 5 17:35:27 PDT 2010
On 7/5/10 12:37 PM, Markus Ernst wrote:
> I can't imagine how the information about the computed width and height
> can be abused - would you mind giving an example?
Sure. For example, you can often use this to detect whether the user is
currently logged into the site in the iframe, which is a privacy leak.
Depending on the target site, other things that might be exposed this
way are things like the number of credit card transactions the user has
performed in the last month, the number of phone calls the user has made
in the last month... you get the idea.
> A possible workaround to security issues could be an element to be set
> in the included document, such as a meta tag that contains a comma
> separated list of domains that are allowed to include the document, and
> also get information about dimensions and such. Some kind of:
> <meta name="allow-embedding" content="whatwg.org, mozilla.com">
How is this different from allowing opt-in into seamless iframes across
origins?
> Also, if this is a potential danger, should the 2 list paragraphs about
> width and height in the part on @seamless be removed at all? As far as I
> understand, the effects of @seamless require the iframe source to be
> from the same origin as the parent document, thus I think that width and
> height of an iframe should be computed independent from @seamless. Else,
> the whole page layout is likely to change if the iframe source is
> navigated from a same-origin document to one from another origin.
Yes, it will. Why is this a problem?
> There has been no reason for authors to apply this declaration so far,
> but if anyone did, he/she wanted the rendering I suggest.
Experience shows this to not be the case. People blindly apply CSS
without thinking through the implications as long as the current
rendering is "right"; I will bet money there are pages out there that
use display:block on iframes just to get linebreaks before/after and
will break if the sizing behavior changes.
-Boris
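The sizing rule Boris argues for above, as an added model that is not part of this thread or of any browser's code: a user agent lets the embedded document's intrinsic size drive the iframe only when the frame is seamless and same-origin, so a cross-origin document's state (logged in or not) cannot show up in the embedder's layout. The 300x150 fallback is the CSS default for an iframe with no specified size; the URLs and content sizes are constructed for the example.

```javascript
// Added example, not from the thread: a model of how a user agent could
// size an <iframe> without letting a cross-origin document's layout leak
// into the embedder. CSS gives an unsized iframe a 300x150 default.
const DEFAULT_SIZE = { width: 300, height: 150 };

// Origin is the (scheme, host, port) tuple; URL.origin gives exactly that.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// cssSize: what the embedder's stylesheet asked for (null if unspecified).
// contentSize: the embedded document's intrinsic size. It depends on that
// document's state (session, number of rows rendered, ...), so it is only
// consulted for a same-origin seamless frame.
function computeIframeSize({ parentUrl, frameUrl, seamless, cssSize, contentSize }) {
  if (seamless && sameOrigin(parentUrl, frameUrl)) {
    return { ...contentSize, source: 'content' };
  }
  // Not seamless, or cross-origin: the embedded content is ignored entirely,
  // so navigating the frame to another origin changes nothing the parent sees.
  return cssSize
    ? { ...cssSize, source: 'css' }
    : { ...DEFAULT_SIZE, source: 'default' };
}

// Constructed scenario: the embedded document is taller when the user is
// logged in. The embedder learns the login state iff the two sizes differ.
function dimensionsLeakLoginState(parentUrl, frameUrl, seamless, cssSize) {
  const loggedOut = computeIframeSize({
    parentUrl, frameUrl, seamless, cssSize,
    contentSize: { width: 800, height: 400 },
  });
  const loggedIn = computeIframeSize({
    parentUrl, frameUrl, seamless, cssSize,
    contentSize: { width: 800, height: 1200 },
  });
  return loggedOut.width !== loggedIn.width || loggedOut.height !== loggedIn.height;
}
```

With this rule the only frames whose size reflects their content are ones the embedder could already read through the DOM, which is why the leak disappears rather than merely becoming harder to observe.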